[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200903084033.GN2639@vkoul-mobl>
Date: Thu, 3 Sep 2020 14:10:33 +0530
From: Vinod Koul <vkoul@...nel.org>
To: trix@...hat.com
Cc: yung-chuan.liao@...ux.intel.com,
pierre-louis.bossart@...ux.intel.com, sanyog.r.kale@...el.com,
natechancellor@...il.com, ndesaulniers@...gle.com,
shreyas.nc@...el.com, alsa-devel@...a-project.org,
linux-kernel@...r.kernel.org, clang-built-linux@...glegroups.com
Subject: Re: [PATCH v2] soundwire: fix double free of dangling pointer
On 02-09-20, 13:26, trix@...hat.com wrote:
> From: Tom Rix <trix@...hat.com>
>
> clang static analysis flags this problem
>
> stream.c:844:9: warning: Use of memory after
> it is freed
> kfree(bus->defer_msg.msg->buf);
> ^~~~~~~~~~~~~~~~~~~~~~~
>
> This happens in an error handler cleaning up memory
> allocated for elements in a list.
>
> list_for_each_entry(m_rt, &stream->master_list, stream_node) {
> bus = m_rt->bus;
>
> kfree(bus->defer_msg.msg->buf);
> kfree(bus->defer_msg.msg);
> }
>
> And is triggered when the call to sdw_bank_switch() fails.
> There are a two problems.
>
> First, when sdw_bank_switch() fails, though it frees memory it
> does not clear bus's reference 'defer_msg.msg' to that memory.
>
> The second problem is the freeing msg->buf. In some cases
> msg will be NULL so this will dereference a null pointer.
> Need to check before freeing.
Applied, thanks
--
~Vinod
Powered by blists - more mailing lists